Interview: NHS urged to act now to prepare for GDPR

Guy Bunker of Clearswift explains what NHS organisations need to do to prepare for the General Data Protection Regulation, which comes into force in May

Guy Bunker

Technology is not the silver bullet that will help the NHS to meet its responsibilities under the soon-to-be-enforced General Data Protection Regulation (GDPR), warn industry experts.

Although made law in 2016, the GDPR will only begin to be legally enforced from 25 May this year, and this move has huge implications for healthcare organisations and any third-party groups they may share information with.

GDPR is very important to all organisations, but particularly health trusts, which hold an awful lot of personal information about patients

The GDPR is designed to enable individuals to be more in control of their personal data and puts the onus on healthcare trusts to ensure they know exactly what information they hold, how it is used, and who can access it.

Any breach of the regulations could see individual organisations fined up to staggering £20m or 4% of their global turnover.

Speaking to BBH, Guy Bunker, senior vice president of products at Clearswift, explains: “Data loss incidents have been around for a long time. The first very-big breaches happened more than 10 years ago and people suddenly sat up and thought ‘this could cause us problems’. Now not a day goes by when we don’t hear of something.”

Last year’s crippling Wannacry cyber attack highlighted problems in the system, with the NHS suffering a huge loss of service as it struggled to get systems back online.

“GDPR is very important to all organisations, but particularly health trusts, which hold an awful lot of personal information about patients,” said Bunker.

“It’s about protecting information and, when it comes to healthcare, it’s right to do that.”

He compared the arrival of GDPR to the introduction, several years ago of the Payment Card Industry Data Security Standard, which increased controls around cardholder data to reduce credit card fraud.

“People sat up and took notice when that happened,” he said, “and I think the same is happening with GDPR.”

The key for health trusts is to make sure they know exactly what information they have, where it is held, who has access to it, and what it is used for.

The challenge is to know when to stop analysing and to do something about it

“Trusts have lots of different systems in lots of different places as information is processed and communicated,” Bunker said.

“It might be in databases or in reports and it’s finding out where it is and how it is communicated and shared. Are people using email or personal phones, for example?

“We need to understand where everything is before we can do anything about it.”

Reducing the number of places information is stored is vital, and with some large companies, including health trusts, analysis can help to reduce the number of places 10-fold.

Health trusts will also need to consider companies and organisations they share information with – such as pharmacies, drug companies and charities or other service providers – as, under the new rules, any requests to change data held on a particular person must filter through to any third party who has copies of that information.

“It’s vital trusts first look at communication flows and locate data so they have a full picture,” said Bunker.

But he warned: “The challenge is to know when to stop analysing and to do something about it.

“You can end up going to the nth degree and getting analysis paralysis, but at some point you need to take action.”

Once an organisation has a feeling for where the information is, Bunker advises reading the GDPR documents to ensure everyone is familiar with the changes.

“Really important,” he said, “is making sure you know what is going on in the real world, not just what is written down in policies.

“Do people use Dropbox or Instagram or USB sticks to send and store data? Understanding how these processes really do work is vital.”

The next step is to do a gap analysis.

“Everyone has people and processes and technology in their organisation.

Unfortunately there’s no technology silver bullet that will make you compliant with GDPR. But there is technology that can help once you see where the problems remain

“First you look at people and see what they do, making sure you change the education and awareness.

“Then, and only then, do you start to look at how technology can help.

“Technology should be last thing once you understand what you are trying to do, rather than saying to yourself ‘encryption will solve all problems’.

“Unfortunately there’s no technology silver bullet that will make you compliant with GDPR. But there is technology that can help once you see where the problems remain.

“Sometimes you have the software that can help; you just don’t know it’s there because you’ve never needed to use it. It’s worth speaking to your technology provider and seeing what they have available to you. Then you can use additional technology to plug any gaps.”

Encryption is a useful tool for health trusts, but so too are compliance solutions, which will help to keep track of the information lifecycle and, most importantly, any changes patients requests.

“Organisations which spend their time worrying about fines are missing the point,” concludes Bunker.

“It’s about doing stuff now so you don’t get fined.

“There are things health trusts should be doing and they should be doing them now to make sure they are ready and prepared for May.”